Biometric reference template record

ABSTRACT

Systems and methods provide for secure and efficient token generation, management, transfer, and authentication services in a biometric data environment. Various embodiments relate to a method performed by a processor of an authentication computing system. An example method includes receiving a biometric reference sample and a user identifier. The user identifier uniquely identifies a user from whom the biometric reference sample was captured. The biometric reference sample is processed to generate biometric data. The biometric data is tokenized using a tokenization schema. A biometric reference template is generated and includes a template identifier uniquely identifying the biometric reference template. The template identifier is associated with the user identifier. The biometric reference template further includes the tokenized biometric data, and a first identifier signifying that the biometric reference template includes tokenized biometric data.

BACKGROUND

Biometric technology is used to confirm the identity of an individual to provide secure access to electronic systems (e.g., to perform financial transactions). After an individual enrolls in a biometric service (e.g., provides biometric data and a non-biometric means of confirming an identity), the individual can be authenticated via the biometric service. Biometric authentication (i.e., identification and validation) leverages the universally recognized fact that certain physiological or behavioral characteristics can reliably distinguish one person from another. Biometric technology includes both automatically collecting and comparing these characteristics. Digital representations of these characteristics are stored in an electronic medium, and later used to authenticate the identity of an individual.

SUMMARY

Various embodiments relate to a method performed by a processor of an authentication computing system. An example method includes receiving a biometric reference sample and a user identifier. The user identifier uniquely identifies a user from whom the biometric reference sample was captured. The biometric reference sample is processed to generate biometric data. The processed biometric data is tokenized using a tokenization schema. A reference template and a biometric reference template record are generated. The reference template is included in the biometric reference template record. The biometric reference template record includes a template identifier uniquely identifying the reference template. The template identifier is associated with the user identifier. The reference template further includes the tokenized biometric data, and a first identifier signifying that the biometric reference template includes tokenized biometric data.

Various other embodiments relate to an authentication computing system. An example system includes a database of a plurality of biometric reference template records containing tokenized biometric data, and a processor and instructions stored in non-transitory machine-readable media. The instructions are configured to cause the server system to receive a biometric reference sample and a user identifier. The user identifier uniquely identifies a user from whom the biometric reference sample was captured. The biometric reference sample is processed to generate biometric data. The biometric data is tokenized using a tokenization schema. A biometric reference template record is generated and includes a template identifier uniquely identifying the biometric reference template record. The template identifier is associated with the user identifier. The biometric reference template record further includes a reference template that contains the tokenized biometric data, and a first identifier signifying that the biometric reference template record includes tokenized biometric data.

Various other embodiments relate to a method performed by a processor of an authentication system. An example method includes receiving a biometric reference sample and a user identifier. The user identifier uniquely identifies a user from whom the biometric reference sample was captured. The biometric reference sample is processed to generate biometric data. A biometric reference template is generated. The biometric reference template includes a template identifier uniquely identifying the biometric reference template. The template identifier is associated with the user identifier. The biometric reference template also includes the biometric data. The biometric reference template is tokenized using a tokenization schema.

Various embodiments relate to a method performed by a processor of an authentication computing system. An example method includes receiving a biometric reference sample and a user identifier. The user identifier uniquely identifies a user from whom the biometric reference sample was captured. The biometric reference sample is processed to generate biometric data. The processed biometric data is tokenized using a tokenization schema. A reference template is generated and published onto a public repository. A pointer (e.g., in the form of a URI) is generated and relates to the location of the user's reference template. The pointer can be used by the user for subsequent identity verification.

These and other features, together with the organization and manner of operation thereof, will become apparent from the following detailed description when taken in conjunction with the accompanying drawings, wherein like elements have like numerals throughout the several drawings described below.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of a biometric authentication system, according to an example embodiment.

FIG. 2 is a flow diagram of a method of generating a biometric reference template record, according to an example embodiment.

FIG. 3 is a flow diagram of a method of authenticating a biometric sample, according to an example embodiment.

FIG. 4A is an illustration of a tokenized string of biometric data and identifiers in a biometric reference template record, according to an example embodiment.

FIG. 4B is an illustration of a tokenized string of biometric data and identifiers in a reference template, according to an example embodiment.

FIG. 5 is a flow diagram of a method of altering a biometric reference template record, according to an example embodiment.

FIG. 6 is a flow diagram of methods of authenticating a biometric sample in public/pointer-based authentication system, according to an example embodiment.

DETAILED DESCRIPTION

Biometrics can be used for human identification and authentication for physical and logical access. Logical access can include access to applications, services, or entitlements. Authentication systems require that the party that wishes to be authenticated has enrolled a biometric reference template at a biometric service provider (“BSP”) or similar entity. A biometric reference template is a digital reference of distinct characteristics of an individual obtained by processing one or more biometric samples from the individual. Current security techniques for protecting biometric data confidentiality in biometric reference templates have considered encryption for securely transferring biometrics. Protection by encryption may be performed by a BSP that manages a store of biometric templates. Issues arise when an attacker, including an insider attacker, gains access to the BSP's store of biometric reference templates, as well as the individual users' biometric data. Currently, to protect the confidentiality of personally identifiable biometric data, symmetric key encryption can be used (e.g., as set forth in ISO 19092 and X9.84 biometric information security and management standards for financial services). However, the use of encryption requires the overhead of key management system architecture and corresponding processing requirements to meet and maintain key management requirements. In addition, once biometric data has been processed (e.g., to generate a reference template), it is not possible to reconstruct the raw biometric data from the processed sample or template. Accordingly, changes or updates to processing technology may require a user to re-enroll in the biometric service by resubmitting one or more new biometric reference samples. Additionally, use and management may be cumbersome, if not impractical, if multiple processing methods exist for a particular biometric data type.

Subsequent to enrollment, biometric reference templates are used during biometric authentication processes. Biometric authentication processes include verification and/or identification. Verification is the process of comparing a match template against a specific reference template based on a claimed identity (e.g., user ID, account number, etc.). Verification is a “one-to-one” comparison that entails comparing a match template generated from a newly captured sample with a previously generated reference template stored in a database or on an ID card. Identification is the process of comparing a submitted biometric sample against some or all enrolled reference templates to determine an individual's identity. Identification is a “one-to-many” comparison that entails the comparison of a match template generated from a newly captured sample with all of the templates in the database. It is most often used to determine whether or not a person has previously enrolled in the system.

Referring generally to the figures, systems, and methods for tokenizing and storing biometric information are described herein. Embodiments relate generally to the methods and processes for generating biometric reference template records. An example biometric reference template record includes (1) identifiers (e.g., identifiers or information related to the biometric type, processing info, etc.) and (2) a reference template (which includes the processed biometric data) that is tokenized. Tokenization is a form of obfuscating the cleartext such that it is replaced with a pseudonym data element in the form of a token. Generally, the tokenization of data is processed by a tokenization service provider (“TSP”). Embodiments described herein include methods and processes for applying tokenization techniques and generating biometric reference templates that protect the confidentiality of personally-identifiable biometric data stored in a biometric reference template record that is created when a person enrolls in a biometric system. The embodiments include processes for processing and storing biometric reference template records such that the sensitive plaintext biometric data on the reference template is protected by tokenization. Various embodiments describe a process for creating a reference template that contains tokenized biometric data. Various arrangements describe a process for creating a biometric reference template record that contains a reference template, which may include tokenized biometric data. Various embodiments include digitally signing one or both of the biometric reference template record and the reference template to ensure the integrity and authenticity of origin for all information included therein. Also described is a method for retrieving the original plaintext biometric data from a token stored in a biometric reference template.
Various embodiments provide a tokenization schema and system that limits the success of third-party attacks to access the biometric data of individuals via a multi-faceted authentication system.

Various embodiments include systems and methods for attaching various types of information to a biometric reference template record. For example, the information attached to a biometric reference template record may indicate the tokenization schema and specific tokenization methods applied to protect plaintext biometric data, and the process for subsequently retrieving the plaintext biometric data from the token in the reference template. For example, some embodiments utilize a globally-unique information object identifier (“OID”) as specified in the ISO/IEC 9834-1 standard. In some embodiments, an OID can be used in an instance of SignedData. SignedData is a cryptographic message, defined in the X9.73 financial industry security standard, that can indicate that the type of content being signed in a message is a reference template whose biometric data element has been tokenized. Signing, e.g., via SignedData, can be performed on the reference template level or on the biometric reference template record level. This first OID alerts the cryptographic message processing tools of the need to perform subsequent token processing once the signature verification processing of the SignedData message has been completed. A second OID identifies the tokenization schema used to tokenize the reference template in the biometric reference template record. This OID can be paired with an ASN.1 “open type,” which can contain any arbitrary data of any type or format needed to identify the specific tokenization method applied to the tokenized biometric data, as well as any data needed for processing the token. In other arrangements, signed attributes are used during the digital signature process in place of, or in addition to, OIDs.
Signed attributes provide a means of associating arbitrary information with the biometric data in a biometric template. For example, this component may be used to carry application specific information related to use of a biometric template, such as an encrypted chip card identification number, a bank identification number and blinded customer account number, or other information related to processing the reference template. After performing the SignedData signature verification, subsequent processing allows the plaintext biometric data to be recovered from the tokenization element by a message recipient. This element can be in the form of a simple oblique value (e.g., a string of octets) or structured content that contains the tokenized biometric data value and any information needed to recover the plaintext, such as the URL address of a BSP or web service, an indication of the specific tokenization technique being used, or any other required data or authentication information. The information needed for token processing can be contained in an attribute of the SignedData message that may be cryptographically bound to the biometric reference template being signed under the same digital signature.

These embodiments abrogate the issues with the current biometric security and storage ecosystems, as the use of the specific tokenization techniques and schema protect biometric data during transfer and while at rest. The biometric authentication system, according to various embodiments, provides a more effective and efficient way to transport biometric information securely. The secure transport and protection of the biometric data is in accordance with industry standards and allows the user of the biometric authentication system to restrict access to sensitive biometric data to those with a need-to-know. The biometric reference template records can be stored, transferred, distributed, or used securely, without loss of confidentiality. Additionally, the biometric reference template records described herein resolve the issue of uncertainty of the processing information or algorithm used to generate the biometric data, allowing a biometric reference template to potentially store multiple biometric types and processing algorithms inside the biometric reference template record. The biometric authentication system allows for real-time authentication of individuals using biometrics while maintaining the security posture of the system to ensure that the biometric data is safe from man-in-the-middle attacks and data breaches.

Further, the methods and systems described herein alleviate the strain on processing power and memory components currently required to manage, store, and authenticate secure biometric data. Embodiments described herein utilize a less strenuous processing method through a specific tokenization system and do not have the overhead of meeting and maintaining key management requirements as required in current authentication systems. Processing power is alleviated by the use of OIDs and signed attributes to identify the processing algorithm used for the biometric data. For example, in some embodiments, a biometric reference template record may process two biometric data types using two different algorithms that are easily discernable through the OIDs. Therefore, the biometric authentication system reduces the processing power and memory storage requirements necessary to provide secure access to biometric data for authentication of individual requesting entities. Additionally, the biometric authentication system reduces the amount of time required to identify and reprocess biometric information stored in a biometric reference template.

In addition, methods and systems described herein improve biometric processing systems by enabling biometric processing techniques to be changed over time without requiring users to re-enroll in the service by providing new biometric samples. Typically, once biometric data has been processed (e.g., to generate a biometric reference template), it is not possible to reconstruct the raw biometric data from the processed sample or template. Various embodiments include tokenizing the raw biometric data so that the data may be securely accessed and reprocessed in accordance with new or otherwise different biometric processing techniques. Accordingly, embodiments solve technical problems related to implementing new biometric processing techniques without requiring users to submit biometric samples.

FIG. 1 is a schematic diagram of a biometric authentication system 100, according to an example embodiment. The biometric authentication system 100 includes a BSP computing system 102, a TSP computing system 104, and one or more customer computing systems 106. Each of the BSP computing system 102, the TSP computing system 104, and the customer computing systems 106 is in operative communication with the others via a network 108. The network 108 may include, for example, the Internet, cellular networks, proprietary banking networks, and the like.

Generally, the biometric authentication system 100 is used to authenticate an enrolled user (e.g., a customer, account holder of a financial institution, etc.) of a service that requires authentication. Although various embodiments are described in connection with users of financial systems, it should be understood that the systems and methods described herein may similarly be used to provide biometric authentication in any type of system, such as enterprise security and other types of systems. While the TSP computing system 104 and the BSP computing system 102 are shown as separate entities in FIG. 1, in some embodiments the BSP computing system 102 performs some of or all of the functions of the TSP computing system 104, as described herein. In some embodiments, one or both of the BSP computing system 102 and the TSP computing system 104 are managed and operated by a financial institution. However, in other embodiments, one or both of the BSP computing system 102 and the TSP computing system 104 are managed and operated by a third-party that is external to a financial institution.

The BSP computing system 102 includes a network interface circuit 110, a biometric sensor 112, a template generation circuit 114, a template management circuit 118, and a biometric reference template record database 122. The BSP computing system 102 may, for example, include one or more servers each with one or more processors configured to execute instructions stored in a memory, send and receive data stored in the memory, and perform other operations to implement the financial services described herein. The network interface circuit 110 is structured to facilitate operative communication between the BSP computing system 102 and other systems and devices over the network 108.

The biometric sensor 112 is structured to capture a biometric sample from an individual and to process the biometric sample to generate the biometric data. The biometric data may be referred to as “raw” biometric data. For example, the sensor can be structured to read a fingerprint, voice print, or other biometric marker. Generally, the biometric sensor is any device that supports the capture of biometric data. In some embodiments, the request is initiated by an employee of the BSP entering data into a computing system (e.g., an employee terminal connected to the server of the BSP) during a person-to-person interaction. For example, the user (e.g., the customer) may walk into a branch location of the BSP and initiate an enrollment request, a biometric reference template update, or a service requiring biometric authentication.

The template generation circuit 114 is structured to generate, manage, catalog, and associate a user's biometric reference template record with a user identifier. Generally, the template generation circuit 114 controls enrollment, the process through which the user's identity is bound with biometric data, and entered into the system database as a biometric reference template. To generate a biometric reference template record, the template generation circuit 114 first receives a biometric reference sample and a user identifier. The template generation circuit 114 processes the biometric reference sample to generate the biometric data. The template generation circuit 114 transmits the biometric data to the TSP computing system 104 to be tokenized. The template generation circuit 114 receives from the TSP computing system 104 a tokenized biometric data string which the template generation circuit 114 uses to generate the biometric reference template record. The biometric reference template record includes a template identifier uniquely identifying the biometric reference template, the tokenized biometric data, and a first identifier signifying that the biometric reference template includes tokenized biometric data. The template identifier is associated with the user identifier and used for locating the biometric reference template records in the database 122. In some embodiments, the template generation circuit 114 digitally signs (e.g., cryptographically binds) the reference template containing the tokenized biometric data with other information, before including it in the biometric reference template record. In other embodiments, the template generation circuit 114 digitally signs the biometric reference template record including the reference template and the additional identifiers.
In some arrangements, the digital signing is performed using SignedData cryptographic message syntax to generate a SignedData message and binding additional identifiers (e.g., OIDs) and other information to the biometric reference template record to create a signed message. In some embodiments, the digital signing is performed on a hash of the biometric reference template record, allowing the biometric reference template record to be authenticated with the hash while limiting processing issues.

The template generation circuit 114 is structured to add identifiers to the biometric reference template record. As previously stated, the biometric reference template record includes these identifiers and the reference template, which includes the tokenized biometric data. The identifiers are either within the biometric reference template record or associated therewith during the digital signature process. An example of this biometric reference template record is shown in FIG. 4A, containing a plurality of OIDs within a single biometric reference template record. The identifiers can be stored as one or more attributes in a digital signature bound to the biometric reference template record or a hash thereof, or stored within the biometric reference template record. The identifiers can include, for example, a uniform resource identifier (“URI”) query string including a uniform resource locator (“URL”) signifying a tokenization service provider capable of recovering plaintext of the tokenized biometric data; a template identifier and a universally unique identifier signifying a database that contains the biometric reference template; and the like. In some embodiments, the identifiers are within the reference template stored in the biometric reference template record. In those embodiments, the template generation circuit 114 digitally signs the tokenized biometric data and a second identifier signifying the tokenization service provider. An example of this biometric reference template record is shown in FIG. 4B, containing a plurality of OIDs within a single reference template in a biometric reference template record. In arrangements where the BSP is the TSP, a second identifier (either within the biometric reference template record or the reference template) signifies the tokenization schema used to tokenize the biometric data.
In other embodiments, the template generation circuit 114 digitally signs both the biometric reference template record and the second identifier signifying the TSP that tokenized the biometric data. For example, the template generation circuit 114 may use SignedData cryptographic message syntax to generate a SignedData message, and may bind a second identifier signifying the TSP to the SignedData message. Identifying the tokenization schema on each biometric reference template record would facilitate interoperability in a system with multiple TSPs. An example method of generating the biometric reference template record is described below in method 200 of FIG. 2.

The template generation circuit 114 may also retrieve the raw biometric templates stored in the raw biometric sample database 126 in order to process them using a different processing method and to replace the templates in the reference template database 122. The template generation circuit 114 can also receive a new biometric template sample, either to refine or replace an existing biometric reference template record. Upon receiving a biometric template sample and a user identifier, the template generation circuit 114 may check to see if the requesting identifier already exists on the database. If no entry exists, the template generation circuit 114 can create a new user identifier, tokenize the supplied biometric sample, and assign the biometric reference template record to the newly generated user identifier. If an entry does exist, the template generation circuit 114 may determine whether the biometric type of the supplied biometric template sample matches any existing biometric sample. The template generation circuit 114 can also then add the biometric template sample to the reference template. In some arrangements, the new biometric template sample will replace an existing biometric data string within the biometric reference template record. An example of replacing the reference template in the biometric reference template record is described below in method 500 of FIG. 5.

The authentication circuit 116 is structured to authenticate a provided biometric sample to a biometric reference template record in the database. The authentication circuit 116 is structured to process authentication requests for identification and verification (verification requests may include an identifier of a user from whom the biometric sample was captured). The authentication circuit 116 is structured to receive the authentication request from the customer computing system 106 over the network 108 and generate the corresponding instructions to authenticate the sample. For example, the authentication circuit 116 may receive a biometric sample of a fingerprint, along with the corresponding user identifier for a verification of the user identifier with the associated biometric reference template record in the database 122. The BSP authentication circuit 116 generates the corresponding instructions to retrieve the biometric reference template record on file for the user identifier. If no template exists for that user identifier, the authentication circuit 116 can provide a failed authentication value to the requesting entity, including a notification of the failed authentication or steps to initiate a user biometric system enrollment process. In some embodiments, the authentication circuit 116 may receive a biometric reference template record in addition to the biometric sample.

Upon retrieval of the stored biometric reference template record 124, the authentication circuit 116 can determine how to use the biometric reference template record to authenticate the biometric sample. In some arrangements, the authentication circuit 116 is able, without detokenizing the template, to determine whether the template has the same biometric type as the biometric sample. In other arrangements, the authentication circuit 116 must first detokenize the template, by submitting a detokenize request with the TSP computing system 104, before the determination can be made. If the template does not have the biometric data type similar to the sample, the authentication circuit 116 may reject authentication and can provide the requesting entity a list of the biometric data types that are stored in the template. In some embodiments, the authentication circuit 116 is structured to provide the requesting party with the biometric reference template record used for matching. The used template can be transmitted along with the authentication value to the requesting entity. This authentication process (verification and/or identification) is shown in greater detail in method 300 of FIG. 3.

In some embodiments where the BSP and the TSP are the same entity, the authentication circuit 116 can detokenize the entire biometric reference template record. This is achieved by first identifying the first OID that signifies that the data is tokenized and then by identifying the second OID to determine the tokenization schema used. For example, the biometric reference template record may contain three biometric types with an OID for each type and an OID indicating the tokenization method used to tokenize the entire string. The authentication circuit 116 identifies the tokenization method, detokenizes the entire string, and then uses the specific data string of the biometric type to compare to the biometric sample. In other arrangements, the authentication circuit 116 is able to identify and parse out from the biometric reference template record, the information string of the same biometric type as the provided sample.
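The enrollment and recovery sequence described above (tokenize, attach the first and second identifiers, sign; then verify, read the identifiers, detokenize) can be sketched as follows; this is an added example, not code from the patent. The OIDs are constructed placeholders under the 2.999 example arc, the HMAC stands in for a SignedData signature, and `TokenVault`, the field names and the `tsp.example` URL are hypothetical.

```python
import hashlib
import hmac
import json
import secrets
import uuid

# Constructed placeholder OIDs under the 2.999 example arc (assumptions, not
# identifiers taken from the page or from X9.73 / X9.84).
OID_TOKENIZED = "2.999.1.1"      # first identifier: template data is tokenized
OID_SCHEMA_VAULT = "2.999.1.2"   # second identifier: which tokenization schema


class TokenVault:
    """Toy TSP (hypothetical): random tokens, plaintext kept only in the vault."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, data: bytes) -> str:
        token = secrets.token_hex(16)  # no mathematical link to the plaintext
        self._vault[token] = data
        return token

    def detokenize(self, token: str) -> bytes:
        return self._vault[token]


def record_mac(record: dict, key: bytes) -> str:
    """HMAC over a hash of the record, standing in for a SignedData signature."""
    body = {k: v for k, v in record.items() if k != "signature"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(canonical).digest()
    return hmac.new(key, digest, hashlib.sha256).hexdigest()


def enroll(sample: bytes, user_id: str, tsp: TokenVault, key: bytes) -> dict:
    """Build a signed record whose reference template holds only a token."""
    biometric_data = sample  # placeholder for real feature extraction
    record = {
        "template_id": str(uuid.uuid4()),
        "user_id": user_id,
        "identifiers": [
            {"oid": OID_TOKENIZED},
            {"oid": OID_SCHEMA_VAULT, "tsp_url": "https://tsp.example/detokenize"},
        ],
        "reference_template": {
            "biometric_type": "fingerprint",
            "tokenized_data": tsp.tokenize(biometric_data),
        },
    }
    record["signature"] = record_mac(record, key)
    return record


def recover_biometric_data(record: dict, tsps: dict, key: bytes) -> bytes:
    """Verify the signature first, then follow the identifiers to the right TSP."""
    signature = record.get("signature")
    if not isinstance(signature, str) or not hmac.compare_digest(
        signature, record_mac(record, key)
    ):
        raise ValueError("signature verification failed")
    oids = [entry["oid"] for entry in record["identifiers"]]
    if OID_TOKENIZED not in oids:
        raise ValueError("record is not marked as tokenized")
    schema = next((oid for oid in oids if oid in tsps), None)
    if schema is None:
        raise ValueError("no known tokenization schema identifier")
    token = record["reference_template"]["tokenized_data"]
    return tsps[schema].detokenize(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    vault = TokenVault()
    # Constructed sample bytes, not real biometric data.
    rec = enroll(b"constructed-minutiae-bytes", "user-0001", vault, key)
    print(json.dumps(rec, indent=2))
    print(recover_biometric_data(rec, {OID_SCHEMA_VAULT: vault}, key))
```

Because the identifiers sit under the same signature as the token, a record whose user identifier or schema identifier has been altered fails verification before any detokenize request reaches the TSP.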

The template management circuit 118 is structured to organize and retrieve stored biometric reference template records that are associated with the user enrolled at the BSP. The template management circuit 118 receives a generated template from the template generation circuit 114 to store in the reference template database 122. The template management circuit 118 interacts with the authentication circuit 116 to provide a specific template for verification or a plurality of templates for identification from the reference template database 122. In some embodiments, the template management circuit 118 receives a new biometric reference template record from the TSP computing system 104 to assign to the user enrolled at the BSP. In some arrangements, the template management circuit 118 facilitates the storage of the biometric reference template record in a public repository (e.g., a cloud, a blockchain, etc.) for a public/pointer-based authentication system, similar to method 600 and 606 described below in connection with FIG. 6.

In some arrangements, the template management circuit 118 is structured to generate and maintain event journal entries in a repository. The event journal entries are associated with a biometric reference template record and may relate to events regarding generation, authentication, and the like. The compliance of any authentication system as to its consistency and accuracy requirements is often ascertained by an audit trail in an event journal. Compliance can be validated internally by an organization or by an external third party. Independent third parties can validate compliance or issue a formal attestation report that can be made public. Mechanisms are in place to ensure the detection of a deletion, addition, modification, or similar action to an event entry. The event journal is attributable to authenticated sources and may be digitally signed (or protected by some other means) to meet these requirements. The event journal entries can include, for example: enrollment, enrollment failure, verification, verification failure, identification, identification, termination, addition, deletion, modification, injection, summary, and archive. The event journal record can also include information related to the biometric reference template record associated with the generated event journal record. For example, a “BiometricHeader” may be used to identify the user identifier or the biometric type involved in the generation of the event journal log. Additionally, just the tokenized data could be placed in the event journal log record with the additional identifiers, information, or metadata. In some arrangements, because of the tokenization of the information in the event journal log, the event journal log can be signed, time stamped, and stored in an accessible repository, for example a blockchain. The date and time in each event journal record definition would indicate when the record was created by the BSP computing system 102.
Storage in a blockchain would allow auditing fromauthorized entities while being restricted through use of a privateblockchain or using cryptography in a shared blockchain.
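The following is an added example, not code from the patent, of one way an event journal can make deletion, addition, and modification of entries detectable: each entry is hash-chained to its predecessor and protected with a keyed MAC, and the latest head hash is anchored outside the journal. The field names, the HMAC key (a stand-in for the digital signature; auditing by a third party would call for an asymmetric signature), the genesis value, and all sample values are assumptions constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Event names come from the journal description; all other names are assumed.
EVENT_TYPES = {"enrollment", "enrollment failure", "verification",
               "verification failure", "identification", "termination",
               "addition", "deletion", "modification", "injection",
               "summary", "archive"}
GENESIS = "0" * 64  # prev_hash used by the first entry (assumption)


def _digest(body):
    """SHA-256 over a canonical JSON encoding of the entry body."""
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def _mac(key, entry_hash):
    """Keyed MAC standing in for the journal's digital signature."""
    return hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()


def append_entry(journal, key, event, user_id, biometric_type, token, created):
    """Append an entry holding only identifiers and tokenized data."""
    if event not in EVENT_TYPES:
        raise ValueError(f"unknown event type: {event}")
    body = {
        "seq": len(journal),
        "created": created,
        "event": event,
        "biometric_header": {"user_id": user_id,
                             "biometric_type": biometric_type},
        "tokenized_data": token,
        "prev_hash": journal[-1]["entry_hash"] if journal else GENESIS,
    }
    entry_hash = _digest(body)
    journal.append({**body, "entry_hash": entry_hash,
                    "mac": _mac(key, entry_hash)})
    return entry_hash  # the head hash to anchor in an external repository


def verify_journal(journal, key, anchored_head=None):
    """Return a list of (index, finding); an empty list means intact."""
    findings = []
    prev = GENESIS
    for i, entry in enumerate(journal):
        body = {k: v for k, v in entry.items()
                if k not in ("entry_hash", "mac")}
        recomputed = _digest(body)
        if entry.get("seq") != i:
            findings.append((i, "sequence gap"))
        if entry.get("prev_hash") != prev:
            findings.append((i, "broken chain"))
        if recomputed != entry.get("entry_hash"):
            findings.append((i, "content modified"))
        if not hmac.compare_digest(_mac(key, recomputed),
                                   str(entry.get("mac", ""))):
            findings.append((i, "bad signature"))
        prev = entry.get("entry_hash")
    # Removing entries from the tail leaves a valid chain; only the
    # externally anchored head hash reveals it.
    if anchored_head is not None and prev != anchored_head:
        findings.append((len(journal), "head differs from anchor"))
    return findings


def demo():
    """Run the checks against a constructed four-entry journal."""
    key = b"constructed-demo-key"
    rows = [("enrollment", "fingerprint"), ("verification", "fingerprint"),
            ("verification failure", "voice"), ("modification", "fingerprint")]
    journal, head = [], None
    for n, (event, btype) in enumerate(rows):
        head = append_entry(journal, key, event, "user-0001", btype,
                            f"{n:032x}", f"2024-01-01T00:00:0{n}Z")
    modified = copy.deepcopy(journal)
    modified[2]["event"] = "verification"   # rewrite a failure as a success
    forged = copy.deepcopy(journal)         # entry added without the real key
    append_entry(forged, b"other-key", "addition", "user-0001", "retina",
                 "f" * 32, "2024-01-01T00:00:09Z")
    return {
        "intact": verify_journal(journal, key, head),
        "modified": verify_journal(modified, key, head),
        "deleted": verify_journal(journal[:1] + journal[2:], key, head),
        "truncated": verify_journal(journal[:3], key, head),
        "added": verify_journal(forged, key),
    }
```
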

The biometric reference template record database 122 is structured to store the biometric reference template records and corresponding user identifiers for all of the users that have enrolled in the biometric authentication service with the BSP. The biometric reference template record database 122 can update or replace an existing biometric reference template record 124 with a new biometric reference template record when the user provides an additional biometric sample. The biometric reference template record database 122 provides the specific biometric reference template record 124 in response to a verification request for a user identifier, which may be analyzed to determine whether a specific biometric sample matches the specific biometric reference template record 124.

The raw biometric sample database 126 is structured to store, off of the network 108, the raw, detokenized biometric data for all the users stored in the BSP computing system 102. The raw biometric data is stored so that it can be reprocessed using a new processing method, if the need arises. For example, a specific first algorithm is used to tokenize and process all the raw biometric data. However, a second algorithm may be developed and preferred over the first method. The raw biometric data in the raw biometric sample database 126 is processed using the new second processing algorithm and replaces the corresponding biometric reference template records in the database with the new tokenized templates. For security purposes, the raw biometric sample database 126 can be stored off of networks and only accessed to add new raw biometric data to the database or to reprocess the raw data using a new algorithm, thereby preventing access through an outside attack.

The TSP computing system 104 includes a network interface circuit 130, a tokenization circuit 132, and a token vault 134. The TSP computing system 104 may, for example, include one or more servers each with one or more processors configured to execute instructions stored in a memory, send and receive data stored in the memory, and perform other operations to implement the financial services described herein associated with the processing modules, databases, and processes. In some embodiments, some or all of the TSP computing system 104 is managed by the BSP computing system 102.

The network interface circuit 130 is structured to facilitate operative communication between the TSP computing system 104 and other systems and devices over the network 108.

The tokenization circuit 132 is structured to organize and facilitate the tokenization (e.g., obfuscating the cleartext with a token) of any biometric data received. This includes tokenizing and detokenizing the reference templates in the biometric reference template records from the BSP computing system 102. In some arrangements, the tokenization circuit 132 may provide an OID with the tokenized biometric data returned to the BSP computing system 102 for inclusion in the biometric reference template record. For example, the OID could represent a TSP identifier, tokenization schema, or other information to assist the TSP computing system 104 in processing a tokenization request from the BSP computing system 102. In some arrangements, the BSP computing system 102 may transmit a detokenization request with the biometric reference template record to the TSP computing system 104. In other arrangements, the BSP computing system 102 may transmit a detokenization request with just the reference template in the biometric reference template record to the TSP computing system 104. In some arrangements, the tokenization circuit may examine an OID (e.g., either as a signed attribute or included in the template) with the biometric reference template record from the BSP computing system 102.

In one embodiment, the tokenization circuit 132 is structured to generate a token recovery service attribute, which can be included in a biometric reference template record to specify the parameters for recovering plaintext biometric data. In one embodiment, a token recovery service attribute is represented by a tokenRecoveryService information object of class ATTRIBUTE and is defined as:

tokenRecoveryService ATTRIBUTE ::= {
    WITH SYNTAX URI
    ID id-tokenRecoveryService
}

In an embodiment, the token recovery service attribute includes a URI query string that can be used to recover the plaintext data from a token using a TSP. The URI may be in the form of a URL that both identifies and locates the TSP resource capable of recovering plaintext from a given token. The attribute may support both Hypertext Transfer Protocol (“HTTP”) and HTTP over Secure Sockets Layer (“HTTPS”).

In an embodiment, the general syntax of the query string is:

?token₁=value₁&account₂=userID₂&authenticator₃=password₃ . . .

The information in this attribute uses the value of the token component of a biometric reference template record (or in some embodiments the reference template), and an account value registered by the TSP that uniquely identifies the user requesting detokenization of the token value, and the authenticator password or other secret shared by the user and the TSP that is needed to authenticate the access of that user to the detokenized token value. database that contains the reference template.

In an embodiment, the token component is a value of type Token, defined as:

Token ::= OCTET STRING (SIZE (16))

A value of type userID is any type of user account identifier, and a value of password can be any string of octets, which may or may not contain structured data, needed to authenticate the user requesting access to the detokenized token.

A value of type Token can be used to uniquely determine the location of any tokenized value controlled by the TSP.
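The following is an added example, not code from the patent, of how a BSP-side component might validate a tokenRecoveryService URI before using or logging it. It assumes the parameter names are token, account, and authenticator (reading the subscripts in the general syntax as position markers), that the 16-octet Token is hex-encoded in the query string, and that the host tsp.example and all values are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Token ::= OCTET STRING (SIZE (16)); hex encoding in the URI is an assumption.
TOKEN_HEX = re.compile(r"[0-9A-Fa-f]{32}")
REQUIRED = ("token", "account", "authenticator")

# Constructed sample URI; tsp.example is a placeholder host.
SAMPLE_URI = ("https://tsp.example/recover"
              "?token=00112233445566778899aabbccddeeff"
              "&account=bsp-102&authenticator=s3cret")


def parse_token_recovery_uri(uri):
    """Validate a token recovery URI and return its components."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    if not parts.hostname:
        raise ValueError("URI does not locate a TSP host")
    if parts.username or parts.password:
        raise ValueError("credentials must not be embedded in the authority")

    params = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in params:
            # A repeated parameter lets two parsers disagree on its value.
            raise ValueError(f"parameter repeated: {name}")
        params[name] = value
    for name in REQUIRED:
        if not params.get(name):
            raise ValueError(f"missing or empty parameter: {name}")
    if not TOKEN_HEX.fullmatch(params["token"]):
        raise ValueError("token must encode exactly 16 octets")

    warnings = []
    if parts.scheme == "http":
        # The attribute permits HTTP, but the shared secret travels in the
        # query string, so plain HTTP exposes it to anyone on the path.
        warnings.append("authenticator would cross the network in cleartext")

    return {
        "endpoint": urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")),
        "token": bytes.fromhex(params["token"]),
        "account": params["account"],
        "authenticator": params["authenticator"],
        "warnings": warnings,
    }


def redact_for_log(uri):
    """Return the URI with the authenticator value masked for log output."""
    parts = urlsplit(uri)
    pairs = [(name, "REDACTED" if name == "authenticator" else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(pairs), ""))
```

Because query strings are routinely written to proxy and server access logs, the redaction helper matters even when the request itself uses HTTPS.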

The token vault 134 is structured to store the tokenization schemas that the TSP has implemented to tokenize data. In some arrangements, the token vault 134 includes the plaintext data associated with the generated token.

The customer computing systems 106 include a network interface 136, a display 138, a biometric sensor 140, an input/output device 142, and a fob 144. The network interface 136 is structured to facilitate operative communication between the customer computing systems 106 and other systems and devices over the network 108. The customer computing systems 106 may include smartphones, tablet computing systems, laptop computing systems, desktop computing systems, PDAs, smart watches, smart glasses, tablets, etc.

The biometric sensor 140 is structured to read a fingerprint, voice print, or other biometric marker. Generally, the biometric sensor 140 is any technology type that supports the capture of a biometric. The biometric sensor 140 can be used to generate a biometric reference template or a biometric sample used for authentication.

The display 138 is structured to present authentication instructions and, if authenticated, provide information regarding account information, transaction information, and the like. The input/output device 142 is structured to receive input from the customer via the customer computing systems 106. The input/output device 142 is used to enter a user identifier or type in a password to provide additional authentication. Additionally, the input/output device 142 may be used to select a biometric type from a list of possible biometric authenticators for the customer to provide the biometric sample. For example, the customer may select to provide a fingerprint, voice, or video option. The input/output device 142 may include a keyboard, a mouse, a touchscreen, a biometric sensor (e.g., a fingerprint sensor), a microphone, a camera, etc. In some embodiments, the input/output device 142 is the same as the biometric sensor 140.

The fob 144 is structured to store a biometric reference template record. In one embodiment, the fob 144 is a hardware device including a processor and memory structured to store the biometric reference template record. Although the fob 144 is shown as being separate from the customer computing systems 106, in some embodiments, the fob 144 is integrated in the customer computing systems 106. For example, the fob 144 may be implemented via a secure element on a smartphone. If the authentication management is done properly, the fob biometric reference template record is the same biometric reference template record stored in the BSP computing system 102 for the user. The fob 144 may be provided by an entity operating the customer computing system 106. For example, the user could initiate an authentication request at a financial institution, provide a biometric sample that is authenticated by the BSP computing system 102, and present the fob 144 for matching with the BSP used biometric reference template record to provide an additional layer of authentication. The fob 144 biometric reference template record is updated whenever a new biometric reference template record is generated by the BSP. For example, if a new reference sample for the user is added the fob 144 is updated. The fob 144 biometric reference template record could be updated by accessing the most up to date template on a server and downloading it to the fob 144. In other embodiments, the fob 144 is automatically updated when the BSP “pushes” the updated biometric reference template record to the BSP computing system 102 and the user.

Referring to FIG. 2, a flow diagram of a method 200 of generating a biometric reference template record from a biometric sample is shown, according to an example embodiment. The method 200 is shown in connection with a BSP and a TSP. For example, the BSP may be an entity that manages the BSP computing system 102 of FIG. 1. The TSP may be an entity that manages the TSP computing system 104 of FIG. 1. However, the method 200 may be similarly performed by other systems and devices.

The method 200 begins when a BSP computing system 102 receives a biometric reference sample and a user identifier at 202. The user identifier is associated with a user that is enrolling in the BSP's services. The enrollment process may include checking identification credentials (e.g., state issued driver's license, birth certificate, etc.) of the user to confirm the user's identity.

At 204, the BSP computing system 102 processes the provided biometric reference sample to generate the biometric data. At 206, the BSP computing system 102 transmits a tokenization request and the biometric data to a TSP computing system 104. At 208, the TSP computing system 104 receives the tokenization request, tokenizes the biometric data, and transmits the tokenized biometric data to the BSP computing system 102.

At 210, the BSP computing system 102 receives the tokenized biometric data and generates a reference template of the tokenized biometric data and a biometric reference template record. The biometric reference template record can include a template identifier uniquely identifying the biometric reference template, the reference template, and a first identifier signifying that the biometric reference template includes tokenized biometric data. The template identifier is associated with the user identifier and may be used for locating the biometric reference template records in the database. In some arrangements, an identifier is stored with the biometric reference template record along with the reference template. An example of this biometric reference template record is shown in FIG. 4A, containing a plurality of OIDs and a reference template within a single biometric reference template record.

At 212, the BSP computing system digitally signs the biometric reference template record. In some arrangements, the digital signing is performed using SignedData cryptographic message syntax to generate a SignedData message. Additional identifiers (e.g., OIDs) may be bound to the message including the biometric reference template record. In some embodiments, the digital signing is performed on a hash of the biometric reference template record, allowing the biometric reference template record to be authenticated with the hash while limiting processing issues. In some embodiments, the template generation circuit 114 digitally signs the reference template and a second identifier signifying the tokenization service provider, the result being included in the biometric reference template record. In other embodiments, the template generation circuit 114 digitally signs both the biometric reference template record and the second identifier signifying the TSP that tokenized the biometric data. For example, the template generation circuit 114 may use SignedData cryptographic message syntax to generate a SignedData message, and may bind a second identifier signifying the TSP to the SignedData message. Identifying the tokenization schema on each biometric reference template record would facilitate interoperability in a system with multiple TSPs. In some arrangements, the enrollment and generation of a biometric reference template record generates an event journal entry into a repository.

Referring to FIG. 3, a flow diagram of a method 300 of transmitting a biometric sample to a BSP for authentication is shown, according to an example embodiment. The method 300 is shown in connection with a BSP and a TSP. For example, the BSP may be an entity that manages the BSP computing system 102 of FIG. 1. The TSP may be an entity that manages the TSP computing system 104 of FIG. 1. However, the method 300 may be similarly performed by other systems and devices.

The method 300 begins when a user (e.g., a customer of a BSP) enrolls in a biometric system to create a biometric reference template that can be used for subsequent biometric matching at 302. This enrollment process can be similar to that described in connection with the method 200 of FIG. 2.

At 304, the BSP computing system 102 receives an authentication request. The authentication request includes a biometric sample and, if the request is for identity verification, an identifier of the user (a user identifier). In some embodiments, the user may capture the biometric data sample using a biometric sensor on the user's computing device and submit the sample with the user identifier to the BSP. In other arrangements, the request is initiated by an employee of the BSP entering data into a computing system (e.g., an employee terminal connected to the server of the BSP) during a person-to-person interaction. For example, the user may walk into a branch location of the BSP and initiate a service requiring biometric authentication with the employee. In some embodiments, the user or requesting entity could also submit a biometric reference template record stored in a database within the BSP in order to provide an additional level of authentication and verification.

At 306, the BSP determines what biometric reference template record(s) are needed to complete the authentication request based on the type of authentication request (e.g., verification or identification). If a verification request is received, the BSP computing system 102 locates and retrieves the biometric reference template record associated with the user identifier from the BSP database. In some embodiments, after receiving the request, the BSP determines if the user identifier has a biometric reference template record containing the biometric type similar to the biometric type of the biometric sample. For example, the BSP may receive a biometric sample of a fingerprint and determine that while a biometric reference template record exists for the user identifier, the biometric reference template record does not have a biometric type of a fingerprint. In some embodiments, the BSP rejects the authentication with details regarding a missing biometric reference template record or biometric data type within the biometric reference template record for that user identifier.

At 306, if an identification request is received, the BSP determines how many biometric reference template records must be reviewed to find a match. For example, if the identification request biometric sample is a fingerprint, the BSP computing system may retrieve only those biometric reference template records that include a biometric type identifier associated with a fingerprint scan. In the simplest case the BSP computing system 102 stops checking templates (e.g., step 308-312 of detokenizing and matching) as soon as the first matching biometric reference template record is located, returning the identity associated with that matching biometric reference template record as the identity of the user. In other arrangements, the BSP computing system 102 may compare the user's biometric sample to all biometric reference template records in the system, in order to verify that the user does not match more than one. In the case of multiple matches, the BSP computing system 102 may identify the user as the owner of the biometric reference template record with the closest match (e.g., correspondence) to the sample.

At 308, the BSP computing system 102 submits a detokenization request for the reference template in the biometric reference template record to the TSP computing system 104. In some embodiments, the biometric reference template record may contain multiple OIDs, each OID including a plurality of information including one that includes information for submitting a request for detokenizing the tokenized data. In some arrangements, the BSP transmits the entire biometric reference template record to the TSP computing system 104. In other arrangements, just the reference template, which contains the tokenized biometric data, is transmitted to the TSP computing system 104.

At 310, the TSP computing system 104 detokenizes the reference template to be usable in a matching or processing algorithm between the biometric reference template record that contained the reference template and the supplied biometric sample. In some embodiments, the biometric reference template record may contain multiple OIDs, each OID including a plurality of information regarding how the TSP tokenized the data. For example, the OID may indicate a biometric type, the tokenization method used for that part of the biometric reference template record, a tokenized string of the biometric data, a processing algorithm for the detokenized biometric data, and the like.

At 312, the BSP computing system 102 receives the detokenized reference template, either alone or included in the biometric reference template record. At 314, the BSP computing system compares the detokenized reference template to the received biometric sample using a biometric processing algorithm or a biometric matching algorithm. The matching algorithm measures the similarity of the sample and the detokenized biometric data in the reference template. Each comparison of a sample with the reference template yields a score, which is a numeric value indicating how closely the sample and template match. Generally, the score is related to a given confidence of positive identification for the biometric subject which can be factored into the overall rules and risk policy for the BSP's (or financial institution using the BSP) authorization policy. The method of computing the score can differ among biometric technologies, but typical methods include distance metrics, probabilistic measures, and normalized correlation. If the score is in accordance with the desired score and confidence interval, a binary decision value, regarding whether the claimant is who they claim to be, is generated. In an identification authentication request, the score may incorporate additional indexing or binning information about the user sample in order to focus the computations of the matching process to biometric reference template records that are most likely to match the user sample.

In some embodiments at 314, the biometric sample contains raw biometric data that is processed using the same algorithm that is used by the similar biometric type in the biometric reference template record. In other embodiments, the detokenized reference template is processed to transform the biometric data back into raw biometric data for comparison to the biometric sample, which contains raw biometric data. The BSP computing system 102 may generate an authentication value that is at least responsive to the comparison of the biometric reference template record and the biometric sample. The authentication value can be a binary value indicating a match or a non-match. In some embodiments, the BSP can provide additional details or comments regarding a matched or failed authentication value (e.g., a confidence value). In some arrangements, the BSP may also transmit the biometric reference template record that the BSP used to compare to the biometric sample for additional authentication by the party that requested the authentication. In some arrangements, the authentication request, authentication result, and other steps of method 300 generate an event journal entry into a repository.
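The following is an added example, not code from the patent, contrasting the two identification strategies described for step 306 (stop at the first match versus compare against every record and take the closest) using a distance-metric score as in step 314. The 64-bit feature codes, the threshold of 56 agreeing bits, the tie handling, and the user identifiers are all assumptions constructed for illustration.

```python
FEATURE_BITS = 64   # assumed width of a detokenized template's feature code
THRESHOLD = 56      # assumed policy: at least 56 of 64 bits must agree

# Constructed data: detokenized templates as 64-bit integers.
SAMPLE = 0xF0F0F0F0F0F0F0F0
RECORDS = [
    ("user-a", SAMPLE ^ 0x3F),                # differs in 6 bits, score 58
    ("user-b", SAMPLE ^ 0x01),                # differs in 1 bit, score 63
    ("user-c", SAMPLE ^ 0xFFFFFFFFFFFFFFFF),  # differs in every bit, score 0
]


def score(sample, template):
    """Distance-metric score: number of feature bits that agree."""
    mask = (1 << FEATURE_BITS) - 1
    return FEATURE_BITS - bin((sample ^ template) & mask).count("1")


def verify(sample, template, threshold=THRESHOLD):
    """Verification: binary authentication value plus supporting detail."""
    s = score(sample, template)
    return {"match": s >= threshold, "score": s, "confidence": s / FEATURE_BITS}


def identify_first_match(sample, records, threshold=THRESHOLD):
    """Simplest case: return the first identity whose score passes."""
    for user_id, template in records:
        if score(sample, template) >= threshold:
            return user_id
    return None


def identify_closest(sample, records, threshold=THRESHOLD):
    """Compare against every record and report all matches, best first."""
    hits = sorted(((score(sample, t), uid) for uid, t in records
                   if score(sample, t) >= threshold), reverse=True)
    if not hits:
        return {"identity": None, "matches": [], "ambiguous": False}
    # Assumption: a tie for the best score is reported rather than resolved.
    ambiguous = len(hits) > 1 and hits[0][0] == hits[1][0]
    return {
        "identity": None if ambiguous else hits[0][1],
        "matches": [(uid, s) for s, uid in hits],
        "ambiguous": ambiguous,
    }
```

With the constructed records, the first-match strategy returns user-a only because that record is checked first, while the exhaustive comparison surfaces both candidates and selects user-b.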

FIG. 4A is an illustration of a tokenized string of biometric data and identifiers in a biometric reference template record 400, according to an example embodiment. In this arrangement, the biometric reference template record 400 includes a plurality of OIDs or identifiers 402 and the reference template 404. The identifiers 402 include a biometric type identifier 406, a tokenization method identifier 408, a biometric processing algorithm identifier 410 and a BSP access and request identifier 412. The reference template 404 contains tokenized biometric data. In some arrangements, these OIDs are stored as attributes of the digital signature.

The biometric type identifier 406 is an alphanumeric representation of the biometric type of the subsequent string of data. In some embodiments, the biometric type identifier 406 can be used to parse out a specific section of the reference template 404 to, for example, match with a sample or to replace with a newer biometric reference template of that biometric type. The biometric type identifier 406 can be, for example, a fingerprint, a retina scan, a voice profile, a signature, etc. In some embodiments, the biometric type includes a biometric reference template record identifier that can signal to a BSP, or other entity, that the data string is a biometric reference template record.

The tokenization method identifier 408 is an alphanumeric representation of the tokenization method used to tokenize the reference template 404. The tokenization method can be any algorithm, matching system, or other form of processing the private biometric data such that it becomes anonymous and unusable for biometric matching to entities that are not authorized to have access. In some embodiments, the tokenization method identifier 408 indicates the TSP provider that completed the tokenization. For example, the tokenization method identifier 408 may include a URL signifying a tokenization service provider capable of recovering plaintext of the tokenized biometric data. In some embodiments, where the TSP and the BSP are the same entity, this OID can represent a token method used to tokenize the data.

The biometric processing identifier 410 is an alphanumeric representation of the processing method used for processing the raw biometric data from the biometric sensors into some string of useable data. Similar to the tokenization method, there are many ways in which the raw biometrics can be processed. BSPs can have multiple processing algorithms that can change over time due to a change in technology used or in the ownership of the BSP. In some arrangements, there may be multiple biometric processing identifiers 410 and biometric reference template record 400 for a single raw biometric sample. For example, there may be multiple different biometric reader vendors, such that one biometric reader may not work the same (e.g., match with the processed algorithm) at all in some locations, even when the user is authorized. Consequently, multiple biometric reference template records 400, or multiple reference templates 404 may be generated with a biometric reference template record 400, to allow for matching using vendor specific hardware, biometric processing algorithms, and biometric matching methods.

The BSP access and request identifier 412 can be a URL indicating the location from which the biometric reference template record 400 may be retrieved. In some embodiments, a financial institution is provided with a biometric reference template record by a user (e.g., on a fob) and the BSP access and request identifier 412 within the biometric reference template record 400 provided by the user allows the financial institution to easily use the embedded link to start the authentication process. In some embodiments, the link may require a username and password login before the request for authentication can be completed.

The reference template 404 is an alphanumeric representation of the processed biometric data in tokenized form. In the tokenized form, the biometric data is private and anonymous to entities that lack the requisite authorization to view and/or use the biometric data. In some arrangements, the reference template 404 includes OIDs or identifiers, as described below in FIG. 4B.

FIG. 4B is an illustration of a tokenized string of biometric data and identifiers in a reference template, according to an example embodiment. In this arrangement, the reference template 420 includes a plurality of OIDs or identifiers and the tokenized biometric data 416. The identifiers include a biometric type identifier 406, a tokenization method identifier 408, a biometric processing algorithm identifier 410 and a TSP access and request identifier 418. In some arrangements, these OIDs are stored as attributes of the digital signature. In other arrangements, such as FIG. 4A, the identifiers are only stored in the biometric reference template record that contains the reference template 420 that just includes the tokenized biometric data 416.

The biometric type identifier 406, the tokenization method identifier 408, and the biometric processing algorithm identifier 410 are similar to the identifiers of FIG. 4A. The TSP access and request identifier 418 can be a URL indicating the location from which a detokenized, plaintext version of the tokenized biometric data 416 may be retrieved. The tokenized biometric data 416 is an alphanumeric representation of the processed biometric data in tokenized form. In the tokenized form, the biometric data is private and anonymous to entities that lack the requisite authorization to view and/or use the biometric data. Possible tokenization schemas include, for example, a token output that is identical to the processed biometrics in structure and character set but not value; a token output composed of alphabetic and numeric characters of varying lengths, generated using a specific algorithm; a token output identical to the original data except for a character string indicating it is a token; and a token output that is a reference ID to a location in a lookup database containing the corresponding processed biometric data.

Referring to FIG. 5, a flow diagram of a method 500 for a BSP computing system 102 to update a biometric reference template record is shown, according to an example embodiment. The method 500 is shown in connection with a BSP receiving, from an authorized party, a new biometric sample to add to the biometric reference template record of a user identifier. For example, the outside party may be a user updating biometric information at a BSP. However, the method 500 may be similarly performed by other systems and devices.

The method 500 begins when the BSP computing system 102 receives a new biometric sample from an authorized party to be added to or replace an existing biometric data type in the biometric reference template record at 502. The request can be to create a new database entry, supplying the user identifier and other identifying information along with biometric sample(s) that will be used to generate a biometric reference template record. The request may include adding a new biometric sample of a new biometric type to an existing biometric reference template record. In one embodiment, the request includes the user identifier and the new biometric sample. Another request may include replacing an existing biometric sample with a new biometric sample. In one embodiment, the request includes the user identifier and the new version of the biometric sample.

At 504, the BSP uses the provided user identifier to determine where to locate the information the BSP has stored in one of the databases. The BSP could also determine whether or not the requesting party has the proper credentials to make the request.

At 506, the BSP determines if the user identifier is stored on the database. If the user identifier is not in the database, then the BSP can create a new profile for the information, at 508, and generate and associate the biometric reference template record with the account. In these instances, the BSP may require additional identifying information to be provided before generating the new user identifier. In some embodiments, the BSP may compare the biometric sample to the biometric data stored on the BSP servers to ensure that no duplicate user accounts would be generated.

If the user has a user identifier in the database, at 510, the retrieved biometric reference template record is examined to determine if the biometric sample is of a new or existing biometric data type. This can be accomplished by examining a biometric type OID or identifier in the biometric reference template record. If the provided biometric sample is of a new biometric data type, then the new biometric sample is tokenized by a TSP and is added to the existing reference template in the biometric reference template record, at 514. For example, the user identifier John Smith can have a biometric reference template record that contains a voice profile and a fingerprint scan, and the biometric template sample is a scan of John Smith's retina. The retina scan will be tokenized and added to the biometric reference template record.

If the retrieved biometric reference template record already has the existing biometric type, at 512, the section of the reference template in the biometric reference template record corresponding to the old biometric data type will be parsed out and replaced with a tokenized version of the new biometric sample. In some embodiments, the reference template must be detokenized by a TSP before the old biometric type can be parsed out and replaced with the new biometric data. At 514, the biometric data is added to the existing reference template. In some arrangements, the new biometric sample can be individually tokenized and then added into the existing string of the reference template in the biometric reference template record. In some arrangements, the biometric sample must be added to the detokenized reference template, and then the resulting new string of data is tokenized to generate the new biometric reference template record.

At 516, the new biometric reference template record is added to the database in place of the old biometric reference template record. At 518, the new biometric reference template record is distributed to the relevant and interested entities. In some embodiments, the BSP may wait until it receives an authentication before it supplies the new biometric reference template record to the requesting party. In some arrangements, the BSP computing system 102 may push the new biometric reference template record to all of the subscribers of the BSP's authentication service. In some embodiments, the BSP may also push the new biometric reference template record to the individual associated with the user identifier. For example, the user may have a fob used to provide additional authentication and the fob would automatically update, or update upon log in, the new biometric reference template record when in range of the network.

Referring to FIG. 6, a flow diagram of a method of enrollment 600 and a method of identity verification 604 for a BSP computing system 102 is shown, according to an example embodiment. The enrollment method 600 is shown in connection with a BSP computing system 102 receiving, from an authorized party, a biometric sample to add to the biometric reference template record associated with a pointer. The identity verification method 604 is shown in connection with a BSP computing system 102 receiving a verification request with the associated pointer. However, the methods 600 and 604 may be similarly performed by other systems and devices.

Method 600 begins when a user enrolls with the BSP at 602. The enrollment process generates a reference template (or biometric reference template record containing the reference template) that contains the tokenized biometric data. The BSP may store the user's reference template in a cloud or blockchain system. At 604, the BSP computing system 103 generates and provides a pointer (e.g., in the form of a URI) to the location of the user's template. The pointer can be used by the user for subsequent identity verification. For example, a user could enroll in a biometric service managed by a financial institution. The financial institution may store the user's reference template in a cloud or blockchain system and generate a pointer (e.g., in the form of a URI) to the location of the user's template. The financial institution provides the pointer to the user to allow the user to provide identification to a relying party. The enrollment process may be similar to method 200 of FIG. 2 and may include checking identification credentials (e.g., state issued driver's license, birth certificate, etc.) of the user to confirm the user's identity.

Subsequent to enrollment, method 606 begins when the user provides identification (e.g., an account and associated information for the financial institution), a biometric match sample, and the pointer to the biometric reference template record to a relying party. For example, the user could engage in a transaction at a retailer and provide the pointer and biometric sample to the retailer to initiate the transaction. At 608, the BSP computing system 102 receives the claimed identity, the biometric match sample, and a pointer from the user in connection with an identity verification event. For example, the retailer could send this information through a point-of-sale interface to the financial institution associated with a BSP/TSP service for verification of the identity and approval of the transaction amount (e.g., there are sufficient funds in the user's account). In some embodiments, the sample is tokenized by the retailer at point-of-sale or through an application on a user device, thereby allowing the user to not expose their biometric sample to the retailer.

At 610, the BSP computing system 102 retrieves the stored reference template, containing the tokenized biometric data, associated with the claimed identity. At 612, the BSP computing system 102 detokenizes the tokenized biometric data within the reference template. In some arrangements, the BSP computing system 102 must submit a detokenization request for the reference template to the TSP computing system 104. In other arrangements where the TSP and BSP are the same entity, the BSP computing system 102 detokenizes the reference template in-house.

At 614, the BSP computing system 102 matches the detokenized biometric data contained in the reference template to the biometric match sample. The matching algorithm measures the similarity of the sample and the detokenized biometric data in the reference template. Each comparison of a sample with the reference template yields a score, which is a numeric value indicating how closely the sample and template match. Generally, the score is related to a given confidence of positive identification for the biometric subject, which can be factored into the overall rules and risk policy for the authorization policy of the BSP (or of the financial institution using the BSP). If the score is above the threshold for a match, at 616, the claimed identity is verified. If the score is below the threshold for a match, at 618, the claimed identity is not verified. For example, the retailer that submitted the information through the point-of-sale interface to the financial institution associated with the BSP/TSP service for verification may receive from the financial institution a signed indication of the match results and transaction approval. Through method 606, the retailer would never need to enroll the user in a biometric system to benefit from biometric authentication and the retailer could log all of the pointers to the signed BSP/TSP match result to have on hand for a repudiation defense.
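The update branch at 510-516 and the verification flow at 608-618 can be exercised together in the following added Python example, which is not code from the patent. The vault-style `VaultTSP`, the similarity measure, the 0.90 threshold, the `txn_id` field, the reason strings and the use of an HMAC in place of a CMS SignedData signature are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import uuid

MATCH_THRESHOLD = 0.90                      # assumed risk-policy value
BSP_SIGNING_KEY = secrets.token_bytes(32)   # HMAC stands in for CMS SignedData


class VaultTSP:
    """Toy TSP: tokens are random handles, the vault maps them back to data."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, features):
        token = secrets.token_hex(16)
        self._vault[token] = list(features)
        return token

    def detokenize(self, token):
        return self._vault[token]


def similarity(reference, sample):
    """Score in [0, 1]; vectors of different length never match."""
    if not reference or len(reference) != len(sample):
        return 0.0
    mean_diff = sum(abs(a - b) for a, b in zip(reference, sample)) / len(reference)
    return max(0.0, 1.0 - mean_diff)


def sign(result):
    # Canonical JSON so signer and verifier hash identical bytes.
    body = json.dumps(result, sort_keys=True).encode()
    return hmac.new(BSP_SIGNING_KEY, body, hashlib.sha256).hexdigest()


class BSP:
    def __init__(self, tsp):
        self.tsp = tsp
        self.pointer_by_user = {}
        self.records = {}   # pointer URI -> biometric reference template record

    def enroll_or_update(self, user_id, bio_type, features):
        """Steps 510-516: add a new biometric type or replace an existing one."""
        token = self.tsp.tokenize(features)
        pointer = self.pointer_by_user.get(user_id)
        if pointer is None:
            pointer = f"urn:uuid:{uuid.uuid4()}"
            self.pointer_by_user[user_id] = pointer
            self.records[pointer] = {"user_id": user_id, "tokenized": True,
                                     "template": {}}
            action = "created"
        elif bio_type in self.records[pointer]["template"]:
            action = "replaced"                     # step 512
        else:
            action = "added"                        # step 514
        self.records[pointer]["template"][bio_type] = token
        return pointer, action

    def verify(self, txn_id, claimed_id, pointer, bio_type, sample):
        """Steps 608-618: every failure path returns a signed 'not verified'."""
        result = {"txn_id": txn_id, "claimed_id": claimed_id, "pointer": pointer,
                  "bio_type": bio_type, "verified": False, "reason": "",
                  "score": 0.0}
        record = self.records.get(pointer)
        if record is None:
            result["reason"] = "unknown_pointer"
        elif record["user_id"] != claimed_id:
            result["reason"] = "identity_mismatch"  # a pointer alone proves nothing
        elif bio_type not in record["template"]:
            result["reason"] = "type_not_enrolled"
        else:
            reference = self.tsp.detokenize(record["template"][bio_type])  # 612
            result["score"] = round(similarity(reference, sample), 4)      # 614
            result["verified"] = result["score"] > MATCH_THRESHOLD
            result["reason"] = "match" if result["verified"] else "below_threshold"
        return result, sign(result)


def relying_party_accepts(txn_id, result, signature):
    """Retailer side: valid signature, same transaction, and a positive match."""
    return (hmac.compare_digest(sign(result), signature)
            and result["txn_id"] == txn_id and result["verified"] is True)
```

Because an HMAC key is shared, this stand-in gives the relying party integrity but not the repudiation defense the text describes; that requires an asymmetric signature whose private key only the BSP holds.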

The embodiments described herein have been described with reference to drawings. The drawings illustrate certain details of specific embodiments that implement the systems, methods and programs described herein. However, describing the embodiments with drawings should not be construed as imposing on the disclosure any limitations that may be present in the drawings.

It should be understood that no claim element herein is to be construed under the provisions of 35 U.S.C. § 112(f), unless the element is expressly recited using the phrase “means for.”

As used herein, the term “circuit” may include hardware structured to execute the functions described herein. In some embodiments, each respective “circuit” may include machine-readable media for configuring the hardware to execute the functions described herein. The circuit may be embodied as one or more circuitry components including, but not limited to, processing circuitry, network interfaces, peripheral devices, input devices, output devices, sensors, etc. In some embodiments, a circuit may take the form of one or more analog circuits, electronic circuits (e.g., integrated circuits (IC), discrete circuits, system on a chip (SOCs) circuits, etc.), telecommunication circuits, hybrid circuits, and any other type of “circuit.” In this regard, the “circuit” may include any type of component for accomplishing or facilitating achievement of the operations described herein. For example, a circuit as described herein may include one or more transistors, logic gates (e.g., NAND, AND, NOR, OR, XOR, NOT, XNOR, etc.), resistors, multiplexers, registers, capacitors, inductors, diodes, wiring, and so on.

The “circuit” may also include one or more processors communicatively coupled to one or more memory or memory devices. In this regard, the one or more processors may execute instructions stored in the memory or may execute instructions otherwise accessible to the one or more processors. In some embodiments, the one or more processors may be embodied in various ways. The one or more processors may be constructed in a manner sufficient to perform at least the operations described herein. In some embodiments, the one or more processors may be shared by multiple circuits (e.g., circuit A and circuit B may comprise or otherwise share the same processor which, in some example embodiments, may execute instructions stored, or otherwise accessed, via different areas of memory). Alternatively or additionally, the one or more processors may be structured to perform or otherwise execute certain operations independent of one or more co-processors. In other example embodiments, two or more processors may be coupled via a bus to enable independent, parallel, pipelined, or multi-threaded instruction execution. Each processor may be implemented as one or more general-purpose processors, application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), digital signal processors (DSPs), or other suitable electronic data processing components structured to execute instructions provided by memory. The one or more processors may take the form of a single core processor, multi-core processor (e.g., a dual core processor, triple core processor, quad core processor, etc.), microprocessor, etc. In some embodiments, the one or more processors may be external to the apparatus, for example the one or more processors may be a remote processor (e.g., a cloud based processor). Alternatively or additionally, the one or more processors may be internal and/or local to the apparatus. In this regard, a given circuit or components thereof may be disposed locally (e.g., as part of a local server, a local computing system, etc.) or remotely (e.g., as part of a remote server such as a cloud based server). To that end, a “circuit” as described herein may include components that are distributed across one or more locations.

An exemplary system for implementing the overall system or portions of the embodiments might include a general purpose computing device in the form of a computer, including a processing unit, a system memory, and a system bus that couples various system components including the system memory to the processing unit. Each memory device may include non-transient volatile storage media, non-volatile storage media, non-transitory storage media (e.g., one or more volatile and/or non-volatile memories), etc. In some embodiments, the non-volatile media may take the form of ROM, flash memory (e.g., flash memory such as NAND, 3D NAND, NOR, 3D NOR, etc.), EEPROM, MRAM, magnetic storage, hard discs, optical discs, etc. In other embodiments, the volatile storage media may take the form of RAM, TRAM, ZRAM, etc. Combinations of the above are also included within the scope of machine-readable media. In this regard, machine-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing machines to perform a certain function or group of functions. Each respective memory device may be operable to maintain or otherwise store information relating to the operations performed by one or more associated circuits, including processor instructions and related data (e.g., database components, object code components, script components, etc.), in accordance with the example embodiments described herein.

It should also be noted that the term “input devices,” as described herein, may include any type of input device including, but not limited to, a keyboard, a keypad, a mouse, joystick or other input devices performing a similar function. Comparatively, the term “output device,” as described herein, may include any type of output device including, but not limited to, a computer monitor, printer, facsimile machine, or other output devices performing a similar function.

Any foregoing references to currency or funds are intended to include fiat currencies, non-fiat currencies (e.g., precious metals), and math-based currencies (often referred to as cryptocurrencies). Examples of math-based currencies include Bitcoin, Litecoin, Dogecoin, and the like.

It should be noted that although the diagrams herein may show a specific order and composition of method steps, it is understood that the order of these steps may differ from what is depicted. For example, two or more steps may be performed concurrently or with partial concurrence. Also, some method steps that are performed as discrete steps may be combined, steps being performed as a combined step may be separated into discrete steps, the sequence of certain processes may be reversed or otherwise varied, and the nature or number of discrete processes may be altered or varied. The order or sequence of any element or apparatus may be varied or substituted according to alternative embodiments. Accordingly, all such modifications are intended to be included within the scope of the present disclosure as defined in the appended claims. Such variations will depend on the machine-readable media and hardware systems chosen and on designer choice. It is understood that all such variations are within the scope of the disclosure. Likewise, software and web implementations of the present disclosure could be accomplished with standard programming techniques with rule based logic and other logic to accomplish the various database searching steps, correlation steps, comparison steps and decision steps.

The foregoing description of embodiments has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the disclosure to the precise form disclosed, and modifications and variations are possible in light of the above teachings or may be acquired from this disclosure. The embodiments were chosen and described in order to explain the principles of the disclosure and its practical application to enable one skilled in the art to utilize the various embodiments and with various modifications as are suited to the particular use contemplated. Other substitutions, modifications, changes and omissions may be made in the design, operating conditions and arrangement of the embodiments without departing from the scope of the present disclosure as expressed in the appended claims.

What is claimed:
 1. A method, comprising: receiving, by an authentication computing system, a biometric reference sample and a user identifier, the user identifier uniquely identifying a user from whom the biometric reference sample was captured; processing, by the computing system, the biometric reference sample to generate biometric data; tokenizing, by the computing system, the biometric data using a first tokenization schema; tokenizing, by the computing system, the biometric reference sample using a second tokenization schema; generating, by the computing system, a reference template, the reference template including the tokenized biometric data; generating, by the computing system, a biometric reference template record, the biometric reference template record including: a template record identifier uniquely identifying the biometric reference template record, the template record identifier being associated with the user identifier, the reference template, a first identifier identifying that the reference template includes tokenized biometric data, and a second identifier identifying that the reference template includes tokenized reference sample; digitally signing, by the computing system, the reference template using SignedData cryptographic message syntax to generate a SignedData message; binding, by the computing system, a third identifier to the SignedData message via an attribute of the SignedData message, the third identifier identifying the first tokenization schema, wherein the attribute includes a first uniform resource identifier query string, the first uniform resource identifier query string including a first uniform resource locator identifying a first tokenization service provider capable of recovering the biometric data from the tokenized biometric data; and binding, by the computing system, a fourth identifier to the SignedData message via an attribute of the SignedData message, the fourth identifier identifying the second tokenization schema, wherein the attribute includes a second uniform resource identifier query string, the second uniform resource identifier query string including a second uniform resource locator identifying a second tokenization service provider capable of recovering the biometric reference sample from the tokenized biometric reference sample.
 2. The method of claim 1, further comprising digitally signing, by the computing system, each of the reference template and a second identifier, the second identifier identifying the tokenization schema.
 3. The method of claim 1, further comprising digitally signing, by the computing system, each of the biometric reference template record and a second identifier, the second identifier identifying the tokenization schema.
 4. The method of claim 1, further comprising: generating, by the computing system, a hash of the biometric reference template record; and generating, by the computing system, a digital signature using the hash of the biometric reference template record.
 5. The method of claim 1, wherein the attribute further includes the template identifier and a universally unique identifier, the universally unique identifier identifying a storage location that contains the biometric reference template record that includes the reference template.
 6. The method of claim 1, further comprising: receiving, by the computing system, a biometric authentication sample and the user identifier; identifying, by the computing system, the template identifier associated with the user identifier; retrieving, by the computing system, the biometric reference template record associated with the template identifier; detokenizing, by the computing system, the reference template using the tokenization schema to retrieve the biometric data; comparing, by the computing system, the biometric data to the biometric authentication sample; and generating, by the computing system, a verification value, wherein the verification value is related to the comparison of the biometric data to the biometric authentication sample.
 7. The method of claim 1, further comprising: receiving, by the computing system, a biometric authentication sample and an identification request; retrieving, by the computing system, a plurality of biometric reference template records in a storage location; detokenizing, by the computing system, each reference template within each of the biometric reference template records using the tokenization schema to retrieve the biometric data from each of the reference templates; matching, by the computing system, the biometric data to the biometric authentication sample; and generating, by the computing system, an identification message, wherein the identification message includes a match value and the user identifier, the match value is related to the matching of the biometric data in the plurality of biometric reference template records to the biometric authentication sample and the user identifier is associated with the single biometric reference template record that matched.
 8. The method of claim 1, further comprising: generating, by the computing system upon the occurrence of a biometric event, a biometric event journal entry, the biometric event journal entry representing the occurrence of biometric event with the biometric reference template record and includes a signifier of the biometric reference template record associated with the biometric event.
 9. The method of claim 1, further comprising: receiving, by the computing system, a second biometric reference sample and the user identifier; retrieving, by the computing system, the biometric reference template associated with the template identifier associated with the user identifier; processing, by the computing system, the second biometric reference sample to generate second biometric data; tokenizing, by the computing system, the second biometric data using a tokenization schema; and replacing, by the computing system, the tokenized biometric data with the second tokenized biometric data, wherein the biometric reference template includes: the template identifier, the tokenized second biometric data, and a first identifier identifying that the biometric reference template includes tokenized biometric data.
 10. A system, comprising: a storage location comprising a plurality of biometric reference templates containing tokenized biometric data; an authentication server system, the server system comprising a processor and instructions stored in non-transitory machine-readable media, the instructions configured to cause the server system to: receive a biometric reference sample and a user identifier, the user identifier uniquely identifying a user from whom the biometric reference sample was captured; process the biometric reference template to generate biometric data; tokenize the biometric data using a first tokenization schema; tokenize the biometric reference sample using a second tokenization schema; generate a biometric reference template, the biometric reference template including: a template identifier uniquely identifying the biometric reference template, the template identifier being associated with the user identifier, the tokenized biometric data, a first identifier identifying that the biometric reference template includes tokenized biometric data, and a second identifier identifying that the reference template includes tokenized reference sample; digitally sign the tokenized biometric data using SignedData cryptographic message syntax to generate a SignedData message; bind a third identifier to the SignedData message via an attribute of the SignedData message, the third identifier identifying the first tokenization schema, wherein the attribute includes a first uniform resource identifier query string, the first uniform resource identifier query string including a first uniform resource locator identifying a tokenization service provider capable of recovering biometric data from the tokenized biometric data; and bind a fourth identifier to the SignedData message via an attribute of the SignedData message, the fourth identifier identifying the second tokenization schema, wherein the attribute includes a second uniform resource identifier query string, the second uniform resource identifier query string including a second uniform resource locator identifying a second tokenization service provider capable of recovering the biometric reference sample from the tokenized biometric reference sample.
 11. The system of claim 10, wherein the instructions are further configured to cause the server system to digitally sign each of the tokenized biometric data and a second identifier, the second identifier identifying the tokenization schema.
 12. The system of claim 10, wherein the instructions are further configured to cause the server system to digitally sign each of the biometric reference template record and a second identifier, the second identifier identifying the tokenization schema.
 13. The system of claim 10, wherein the instructions are further configured to cause the server system to: generate a hash of the biometric reference template; and generate a digital signature using the hash of the biometric reference template record.
 14. The system of claim 10, wherein the attribute further includes the template identifier and a universally unique identifier, the universally unique identifier identifying a storage location that contains the biometric reference template.
 15. The system of claim 10, wherein the instructions are further configured to cause the server system to: receive a biometric authentication sample and the user identifier; retrieve the biometric reference template associated with the template identifier associated with the user identifier; detokenize the tokenized biometric data using the tokenization schema to retrieve the biometric data; compare the biometric data to the biometric authentication sample; and generate a verification value, wherein the verification value is related to the comparison of the biometric data to the biometric authentication sample.
 16. The system of claim 10, wherein the instructions are further configured to cause the server system to: receive a biometric authentication sample and an identification request; retrieve a plurality of biometric reference template records in a storage location; detokenize each reference template using the tokenization schema to retrieve the biometric data; match the biometric data to the biometric authentication sample; and generate an identification message, wherein the identification message includes a match value and the user identifier, the match value is related to the matching of the biometric data in the plurality of biometric reference template records to the biometric authentication sample and the user identifier is associated with the single biometric reference template record that matched.
 17. The system of claim 10, wherein the instructions are further configured to cause the server system to: generate an enrollment event journal entry, the enrollment event journal entry represents the generation of the biometric reference template record, wherein the enrollment event journal entry includes a signifier of the biometric reference template record generated; and publish the enrollment event journal entry to a repository.
 18. The system of claim 8, wherein the instructions are further configured to cause the server system to: receive a second biometric reference sample and the user identifier; retrieve the biometric reference template associated with the template identifier associated with the user identifier; processing the second biometric reference template to generate second biometric data; tokenize the second biometric data using a tokenization schema; and replace the tokenized biometric data with the second tokenized biometric data, wherein the biometric reference template includes: the template identifier, the tokenized second biometric data, and a first identifier identifying that the biometric reference template includes tokenized biometric data.
 19. A method, comprising: receiving, by an authentication computing system, a biometric reference sample and a user identifier, the user identifier uniquely identifying a user from whom the biometric reference sample was captured; processing, by the computing system, the biometric reference sample to generate biometric data; tokenizing, by the computing system, the biometric data using a first tokenization schema; tokenizing, by the computer system, the biometric reference sample using a second tokenization schema; generating, by the computing system, a reference template, the reference template including the tokenized biometric data and tokenized biometric reference sample, wherein the reference template is associated with the user identifier; publishing, by the computing system, the reference template on a public repository; generating, by the computing system, a pointer, the pointer being associated with the reference template on the public repository and used for subsequent identity verification of the user; receiving, by the computing system, a biometric match sample and the pointer; identifying, by the computing system, the reference template associated with the pointer; retrieving, by the computing system, the reference template associated with the pointer; detokenizing, by the computing system, the reference template using the first tokenization schema to retrieve the biometric data; and detokenizing, by the computing system, the reference template using the second tokenization schema to retrieve the biometric reference sample.
 20. The method of claim 19, further comprising: comparing, by the computing system, the biometric data to the biometric match sample; and generating, by the computing system, a verification value, wherein the verification value is related to the comparison of the biometric data to the biometric match sample.
 21. The method of claim 1, wherein the first tokenization service provider and the second tokenization service provider are identical.
 22. The method of claim 10, wherein the first tokenization service provider and the second tokenization service provider are identical.